Hosting without port forwarding?

Discussion in 'other firewalls' started by Dragos276, Aug 7, 2008.

Thread Status:
Not open for further replies.
  1. Dragos276

    Dragos276 Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    1
    Hi, somebody recommended your site "pm me, post here or visit official forum to ask experts www.wilderssecurity.com" and I have a little problem...

    I have a Linksys router and cannot host games (Warcraft III on the internet) because of my router. Everyone told me to use the site "www.portforward.com" but I don't want to use that method.

    Is there a way to host without port forwarding?

    Sorry for my bad English, I'm from Romania.

    Thanks in advance.
     
  2. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    The settings should be to let war3.exe to port 6112 [assuming default port for Warcraft. Personally, I changed it to an obscure port in the high 50000s.]. If you have the options in your hardware router firewall, then you might want to either open 6112, or set up some sort of trigger.

    Hope that helps.
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Dragos276, Welcome to Wilders.

    I believe you will need to allow inbound connections if you want to host.

    I am not an on-line game player, but did find some info on manually setting the router for your game:-

    http://www.overclock.net/faqs/98275-how-host-warcraft-iii-battlenet-games.html


    Your english is very good.

    Just ask if any questions,

    - Stem
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Is there any reason why you specifically want to avoid port forwarding?

    You can use the "DMZ" feature of your router to host apps/games that need inbound connections. Just put your LAN IP as a DMZ host.
     
  5. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Port forwarding on the Linksys router is very easy. As long as the router obtains your public IP address, it can't be behind another router (many ISPs ship home gateways, which people "think" are just modems, but in reality are already routers).

    To DMZ your PC is detrimental to your PC's health...it puts the PC outside of your router's NAT firewall protection, so now your PC has all 65,000 plus ports fully exposed. You're under attack within minutes...might as well get out your OS CD and begin a format/reinstall.
     
  6. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Huh? What about users without NAT (modem only)? Are you suggesting they're under constant "attacks" and doing formats all the time?
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think what YeOldeStoneCat is alluding to is that NAT handles unsolicited packets, blocking them. As I would imagine you know, when a router uses NAT, unless the internal network (aka your computers) ask for something external (aka the internet/wan) then any communication being sent FROM the external TO the internal will be dropped/rejected/denied/whatever.

    StoneCat is right in that any IP, especially static like mine, is constantly port scanned. Constantly being sent packets. From everywhere. Could be other routers from your ISP, could be someone across the world. Could be 'someone' or could be a piece of hardware just doing its job. Don't believe me? Get a router and examine the logs. Better yet, use an application that reads those logs and logs them. I can show you thousands of 'scans' from all over the world to my static IP. I don't sweat it, but for sure it is happening. I don't pretend to know the reason why, but I know that lots of ports that are considered 'vulnerable' are the ones that are being scanned. You be the judge there.

    Point is, without NAT (this means if you set your computer as the DMZ computer, there is no NAT) then your router does nothing to stop unsolicited connection requests.

    This means, that if you have a standard install of a M$ OS, you will have some ports that are 'open', meaning a potential door of communication. If you have changed that or use a firewall or other network device of that type, then your ports will be closed, or 'stealthed' or just not responding, whatever you like to call it.

    Even on a modem, you will be assigned an IP. If that IP is public, then you can be solicited. You may only be on for an hour, and maybe you get scanned 1 time, maybe 100 times. All depends.

    Sometimes you can have an IP in your router of say (for example only) 2.2.2.2, and maybe your gateway is 3.3.3.1, both assigned by DHCP (dynamically, meaning different all the time). The IP 2.2.2.2 could be internal to your ISP, and the gateway 3.3.3.1 is a computer within your ISP that might be doing NAT for you. So in this picture, you might have a router that is doing NAT. It stops unsolicited packets. Cool. But your IP is internal to your ISP which is in turn doing NAT, meaning you are protected before any packet ever gets to you. Meaning, maybe you don't even need a router with NAT.

    So this leads us to the question. Can you open a port for inbound communication when using a router without the router being involved? The short answer is probably, NO. The reason is that a router is managing the ports for all traffic. If your computer is the DMZ computer, then the router does not monitor traffic to that port, or more than likely just ignores it. If you turn off NAT (not possible on all routers), then no monitoring at all happens, and if your computer has no firewall, then all ports that are open can send/receive data. If you do have a firewall, then the firewall needs to know what ports to allow. The firewall applies even if you have NAT enabled of course.

    So this also begs the answer to another problem. Let's say you start GreatGame.exe and want to host a game online. It uses port 10000. So your firewall is on and is configured to allow GreatGame.exe to pass data back and forth on port 10000.

    Ok, any computer in your house will see it. But now you have a router. The router is blocking that port 10000 by default, so that means your friend in Chicago cannot see your game. In your router you tell it to allow communications on port 10000 to happen. Generally you must also know what IP your computer uses as well. We can't just let every computer use port 10000 can we? Or should we?

    Ah, so maybe now your friend sees your game. Sweet. But, if you are double NAT by your ISP, your friend still may not see your game. My old ISP did this, and they refused to open a port for me, so that meant even though my firewall and router were allowing communications, my ISP was blocking it.

    That is the short version. I am not sure I have enough brain cells left for the long version.

    HTH.
    Sul.
     
  8. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    False... I have a server that sits in my DMZ constantly. I have had 1 High rated stop in what 4 years of it running out there. Many people on cable modems don't have NAT and are direct plug-in. Just because you're exposed doesn't mean you're going to get attacked. It also depends on your ISP and most in the US are good at protecting the LAN for which they run on.
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    True... I have servers sitting in DMZ, sitting behind no router as well. Logs show many many unsolicited packets being sent.

    Also true that you could see what you describe certainly, but I highly doubt that if you have a public ip (truly public) that you don't get scanned all day every day on dmz. Unless your ISP is helping you.

    I have watched too many logfiles and turned in gross offending IPs to know any different.

    Also true that just because one is plugged in live to the net does not mean that a format is forthright in coming. However, I would not rule it out depending on the setup.

    Take it all in context..

    Sul.
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    This debate got kinda off-topic.

    1/ You simply cannot host servers on your LAN without opening and forwarding ports required by the given server application (or placing the whole server in the DMZ, which is usually an unneeded overkill).

    2/ The security of this first of all depends on how secure the server application itself is. If you want to host a gaming server running an old cracked copy of some game which is never updated and patched, then it sounds like a sure way to hell. :p
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Yes..their PCs are directly under constant attacks, port scans, etc. So now..they have to pray that their software firewall (IF they have one) will work, will not fail, is not corrupted, and protects their computer.

    Supporting PCs as a small business consultant for a long long time...and prior to that..working at a computer IT firm...I noticed a correlation. PCs plugged directly into broadband modems..obtaining a public IP address...far more likely to be infested..versus PCs that were behind basic NAT routers. Whenever I walked up to a PC to troubleshoot it..and noticed it was plugged right into that Motorola Surfboard, or old Speedstream DSL modem...I knew I was in for many hours of agony fighting infestations.

    Same goes for working on servers hosted in data centers, or other servers or computers in business networks....I can't count how many times some wannabe consultant took a server at some business and put it in the DMZ of some router...it got hacked, he was out, I'd walk in..thank him for giving me his business, and I'd go to work locking it down.
     
  12. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Sure you can.

    You can build ACLs...make those ports available only to certain remote IP addresses (such as port 25 to your Exchange Server..only allow access to a mail host), or require a VPN from remote users to access a published application (such as Outlook Web Access, or Terminal Server).
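    The inbound logic Sully walks through a few posts up (NAT lets replies back in, drops unsolicited packets, a port forward or DMZ host admits them) and the ACL idea in this post, worked as one small Python model. This is an added example, not code from any poster, from Linksys firmware or from any real firewall: the Router and Packet classes, the RFC 5737 documentation addresses and the assumption that the router keeps the LAN source port as the public port are all constructed for illustration.

```python
"""Toy model of a home NAT router's inbound decision (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """An inbound packet as seen on the router's WAN side."""
    src_ip: str
    src_port: int
    dst_port: int          # port on the router's public IP
    proto: str = "tcp"


@dataclass
class Router:
    public_ip: str
    # (proto, public port) -> (LAN IP, LAN port): the port-forwarding table
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, public port) -> source networks allowed to use that forward (an ACL)
    acl: Dict[Tuple[str, int], List[str]] = field(default_factory=dict)
    dmz_host: Optional[str] = None
    # state learned from outbound traffic:
    # (proto, remote IP, remote port, public port) -> (LAN IP, LAN port)
    conntrack: Dict[Tuple[str, str, int, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, lan_port: int, remote_ip: str, remote_port: int,
                 proto: str = "tcp") -> None:
        """A LAN host opens a connection; the router remembers it so the reply gets back in.
        Simplification (assumed): the public port equals the LAN source port."""
        self.conntrack[(proto, remote_ip, remote_port, lan_port)] = (lan_ip, lan_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
        """Return (verdict, (lan_ip, lan_port) or None) for a packet arriving from the WAN."""
        # 1. Reply to a flow a LAN host started: NAT passes it to that host.
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.conntrack:
            return "ESTABLISHED", self.conntrack[key]
        # 2. Explicit port forward. If an ACL exists for the port, only listed
        #    source networks may use it; everyone else is dropped.
        target = self.forwards.get((pkt.proto, pkt.dst_port))
        if target is not None:
            allowed = self.acl.get((pkt.proto, pkt.dst_port))
            if allowed and not any(ip_address(pkt.src_ip) in ip_network(n) for n in allowed):
                return "DROP_ACL", None
            return "FORWARD", target
        # 3. DMZ host: every unsolicited packet no forward claims lands on it.
        if self.dmz_host is not None:
            return "DMZ", (self.dmz_host, pkt.dst_port)
        # 4. Default NAT behaviour: unsolicited inbound is dropped.
        return "DROP", None

    def unsolicited_reachable_ports(self) -> int:
        """How many public ports an outside scanner reaches without a prior outbound flow."""
        if self.dmz_host is not None:
            return 65535      # the DMZ host answers for every port, forwarded or not
        return len(self.forwards)


def demo() -> Dict[str, str]:
    """Constructed scenarios; the returned verdicts are what the router would do."""
    scanner = "198.51.100.7"
    plain = Router("203.0.113.5", forwards={("tcp", 6112): ("192.168.1.10", 6112)})
    plain.outbound("192.168.1.10", 51000, scanner, 80)
    dmz = Router("203.0.113.5", dmz_host="192.168.1.20")
    mail = Router("203.0.113.5", forwards={("tcp", 25): ("192.168.1.30", 25)},
                  acl={("tcp", 25): ["198.51.100.0/24"]})
    return {
        "forwarded game port": plain.inbound(Packet(scanner, 40000, 6112))[0],
        "unforwarded port": plain.inbound(Packet(scanner, 40000, 10000))[0],
        "reply to outbound flow": plain.inbound(Packet(scanner, 80, 51000))[0],
        "same port, DMZ host": dmz.inbound(Packet(scanner, 40000, 10000))[0],
        "port 25 from listed mail host": mail.inbound(Packet(scanner, 1234, 25))[0],
        "port 25 from anyone else": mail.inbound(Packet("192.0.2.9", 1234, 25))[0],
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:32} -> {verdict}")
```

    The point the model makes concrete: a forwarded port and a DMZ host both "open" something, but the forward exposes one port (and, with an ACL, only to chosen sources) while the DMZ host answers for all 65535. It deliberately ignores port rewriting, UDP timeouts and the host firewall, which Sully's post notes still applies behind the router.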
     
  13. Fajo

    Fajo Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    1,812
    LOL now that's thinking outside the box. :argh:
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I really love this "hardware" firewall argument. You know what, all they do is use a stripped-down (embedded) Linux/BSD/whatnot distro with a software firewall (iptables/ipfilter/packetfilter/...) :D

    Yeah... and guess what - all of the above still needs an open port to work. ACLs or not, you are still opening ports in your firewall. You still can't host any game server without opening and/or forwarding ports in your firewall, whether the access is restricted to selected IPs or not. So, no - sure you can't. Closed ports -> no communication.
     
    Last edited: Aug 14, 2008